4595899f7f
This adds the new API endpoint to create, update, and delete role-based access control entries. These entries enable tenants to grant access to other tenants to perform an action on an object they do not own. This was previously done using a single 'shared' flag; however, this was too coarse because an object would either be private to a tenant or it would be shared with every tenant. In addition to introducing the API, this patch also adds support to for the new entries in Neutron networks. This means tenants can now share their networks with specific tenants as long as they know the tenant ID. This feature is backwards-compatible with the previous 'shared' attribute in the API. So if a deployer doesn't want this new feature enabled, all of the RBAC operations can be blocked in policy.json and networks can still be globally shared in the legacy manner. Even though this feature is referred to as role-based access control, this first version only supports sharing networks with specific tenant IDs because Neutron currently doesn't have integration with Keystone to handle changes in a tenant's roles/groups/etc. DocImpact APIImpact Change-Id: Ib90e2a931df068f417faf26e9c3780dc3c468867 Partially-Implements: blueprint rbac-networks |
||
|---|---|---|
| .. | ||
| api-paste.ini.test | ||
| neutron.conf | ||
| policy.json | ||